The new audit requirements for Employee Benefit Plan Audits represent the most significant changes impacting Employee Benefit Plans since Congress enacted the Employee Retirement Income Security Act (ERISA) in 1974 to help protect retirement benefits for workers covered by private pension plans.
The new standard (SAS No. 136) replaces the “limited-scope audit” with the ERISA Section 103(a)(3)(C) audit and prescribes certain performance requirements. It changes the form and content of the auditor’s report and expands the responsibilities of both the auditor and the plan sponsor.
Plan sponsors are grappling with these expanded responsibilities. UHY has developed 10 tips to help you fulfill your responsibilities, as well as help create a seamless audit experience.
Review the plan documents, including the prototype or volume-submitter document (if the plan is not individually designed), the adoption agreement and any amendments. Also review the plan’s eligibility, compensation, contribution and benefit payment provisions.
If the plan uses a prototype or volume-submitter document, it must be amended and restated (the Cycle 3 restatement, based on the cumulative list in IRS Notice 2017-37) to bring the plan into compliance with the legislative and regulatory changes on that list; the restatement window for pre-approved defined contribution plans closed July 31, 2022. Amendments for the SECURE Act, the CARES Act and the Consolidated Appropriations Act are separate from the Cycle 3 restatement and must also be adopted if not previously done.
A plan with straightforward provisions reduces the risk of error, while complex provisions increase it. Examples of complexities include compensation exclusions, employer contribution formulas, and vesting rules. If complexities exist, be aware of them and add controls to mitigate the risk of operational errors.
The operational processes to review include enrollment, payroll calculations, the calculation of employee deferrals and employer contributions, and the required email notifications to participants. Also look for ways to streamline the interface between your 401(k) provider and your payroll provider, and put controls and procedures in place that address what could go wrong at each hand-off.
Store or maintain your suite of plan documents together, including the prototype or volume-submitter document, adoption agreement and summary plan description, as well as the current fidelity bond, the latest IRS determination or opinion letter, and minutes of the governing body and of discussions with investment advisors. Review your ERISA fidelity bond coverage limit to make sure it is sufficient: ERISA generally requires the bond to cover at least 10% of the plan funds handled, with a $1,000 minimum and a $500,000 maximum ($1,000,000 for plans that hold employer securities). Alternatively, consider adding an “inflation guard” rider that automatically raises the coverage to meet the ERISA requirement as plan assets grow.
For participant data, keep a checklist of the information needed for each employee, including beneficiary forms, email notifications, and required participant communications. Create another checklist for distributions, including terminations, participant loans, and hardship withdrawals.
Service providers engage CPA firms to review and test their internal controls and report on them (SOC 1 reports). As you review each report, check the scope and period covered by the opinion, determine whether the testing results contain any exceptions, and make sure the complementary user entity controls that the report assumes the plan sponsor operates are actually in place. You should also look to answer these questions:
Reconcile payroll withholding to the remittance file on a payroll-by-payroll basis to determine whether any contributions are missing; catching a missed remittance early avoids delinquent contributions, which lead to additional costs. Administrators should also periodically match the contribution type on the remittance file (pre-tax deferral, Roth, loan repayment) to the payroll register, which helps ensure that loan repayments do not suddenly stop. Some CFOs reconcile after every pay period so that differences or issues are addressed immediately, and then compare total remittances at year end to the deferrals reported on Form W-3.
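The reconciliation just described, as an added example that is not part of the original article: a small Python script that matches a payroll register to a custodian remittance file per pay date, employee and contribution type, flags employees whose loan repayments stop while they remain on payroll, and compares year-end remitted deferrals to the Form W-3 deferred-compensation total. The record layout (pay date, employee ID, contribution type, amount) and all of the sample rows are constructed for the example; real payroll and custodian exports will need their own column mapping.

```python
"""Payroll-to-remittance reconciliation for 401(k) deferrals (added example).

The record layout and every row below are constructed, not taken from a real plan.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed payroll register: amount withheld from each paycheck, by contribution type.
PAYROLL = [
    ("2022-01-14", "E001", "pretax", "200.00"),
    ("2022-01-14", "E001", "loan",   "50.00"),
    ("2022-01-14", "E002", "pretax", "150.00"),
    ("2022-01-14", "E002", "roth",   "75.00"),
    ("2022-01-28", "E001", "pretax", "200.00"),
    ("2022-01-28", "E001", "loan",   "50.00"),
    ("2022-01-28", "E002", "pretax", "150.00"),
    ("2022-01-28", "E002", "roth",   "75.00"),
    ("2022-02-11", "E001", "pretax", "200.00"),   # E001's loan repayment silently stopped
    ("2022-02-11", "E002", "pretax", "150.00"),
    ("2022-02-11", "E002", "roth",   "75.00"),
]

# Constructed remittance file as sent to the custodian, with three seeded defects:
#  - E001's 01-28 loan repayment was sent short (amount differs)
#  - E002's 01-28 Roth deferral was keyed as after-tax (contribution type miscoded)
#  - E001's 02-11 deferral was never remitted (missing)
REMITTANCE = [
    ("2022-01-14", "E001", "pretax",    "200.00"),
    ("2022-01-14", "E001", "loan",      "50.00"),
    ("2022-01-14", "E002", "pretax",    "150.00"),
    ("2022-01-14", "E002", "roth",      "75.00"),
    ("2022-01-28", "E001", "pretax",    "200.00"),
    ("2022-01-28", "E001", "loan",      "45.00"),
    ("2022-01-28", "E002", "pretax",    "150.00"),
    ("2022-01-28", "E002", "after_tax", "75.00"),
    ("2022-02-11", "E002", "pretax",    "150.00"),
    ("2022-02-11", "E002", "roth",      "75.00"),
]

DEFERRAL_TYPES = ("pretax", "roth")   # loan repayments are not elective deferrals


def _index(rows):
    """Sum rows into {(pay_date, emp, type): Decimal}; duplicate rows in a file add up."""
    idx = defaultdict(Decimal)
    for pay_date, emp, ctype, amount in rows:
        idx[(pay_date, emp, ctype)] += Decimal(amount)
    return idx


def reconcile(payroll, remittance):
    """Compare withholding to remittance per pay date, employee and contribution type.

    Returns a sorted list of (issue, pay_date, emp, type, withheld, remitted).
    """
    held, sent = _index(payroll), _index(remittance)
    issues = []
    for key in sorted(set(held) | set(sent)):
        h, s = held.get(key, Decimal(0)), sent.get(key, Decimal(0))
        if h == s:
            continue
        if s == 0:
            issue = "missing"          # withheld but never reached the custodian
        elif h == 0:
            issue = "not_withheld"     # remitted with no matching withholding (often a miscoded type)
        else:
            issue = "amount_differs"
        issues.append((issue, *key, h, s))
    return issues


def stopped_loan_repayments(payroll):
    """Flag employees whose loan repayments stop while they are still on the payroll register."""
    dates = sorted({row[0] for row in payroll})
    on_payroll, repaying = defaultdict(set), defaultdict(set)
    for pay_date, emp, ctype, amount in payroll:
        on_payroll[pay_date].add(emp)
        if ctype == "loan" and Decimal(amount) > 0:
            repaying[pay_date].add(emp)
    flagged = []
    for prev, cur in zip(dates, dates[1:]):
        for emp in sorted(repaying[prev] & (on_payroll[cur] - repaying[cur])):
            flagged.append((cur, emp))
    return flagged


def year_end_deferrals(remittance):
    """Total elective deferrals (pre-tax plus Roth) actually remitted for the year."""
    return sum((Decimal(a) for _, _, t, a in remittance if t in DEFERRAL_TYPES), Decimal(0))


def w3_variance(remittance, w3_box_12a):
    """Form W-3 box 12a (deferred compensation) minus remitted deferrals; non-zero needs explaining."""
    return Decimal(w3_box_12a) - year_end_deferrals(remittance)


if __name__ == "__main__":
    for issue in reconcile(PAYROLL, REMITTANCE):
        print("remittance exception:", *issue)
    for pay_date, emp in stopped_loan_repayments(PAYROLL):
        print("loan repayment stopped:", pay_date, emp)
    print("W-3 variance:", w3_variance(REMITTANCE, "1275.00"))   # constructed W-3 figure
```

Run it after each pay period against that period's two files; the year-end W-3 variance of 275.00 in the constructed data is exactly the missing 200.00 deferral plus the 75.00 Roth amount that was miscoded as after-tax, which is why both the per-payroll match and the annual total are worth doing.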
The DOL requires late contributions to be reported in the audited financial statements and on Form 5500, and its Voluntary Fiduciary Correction Program sets out procedures for employers to reimburse participants for lost earnings for the days contributions were not invested. Employee contributions must be remitted to the plan custodian as soon as they can reasonably be segregated from the employer’s general assets, and the remittance timing must be consistent: if you remit within one day for one pay period and at longer intervals for others, the DOL could treat anything slower than one day as late. If you make a mistake, correct it promptly to avoid possible penalties and interest.
When documenting meetings with service providers, note the date, who attended, and a brief list of discussion items. Other items to document are discretionary contributions, investment selections, and service provider expense and performance reviews. Provide your auditor with a copy of these minutes.
ERISA attorneys report that the Employee Benefits Security Administration (EBSA), which published cybersecurity guidance for plan sponsors and service providers in April 2021, now uses a cybersecurity questionnaire in plan investigations that addresses cybersecurity risk mitigation. Investigators have asked plan sponsors for their IT security policies, their cybersecurity insurance policy, and evidence of their TPA’s cybersecurity insurance coverage.
Some companies are considering bitcoin and other cryptocurrency investments for their retirement plans. The DOL’s Compliance Assistance Release 2022-01 (March 2022) cautions 401(k) fiduciaries to exercise extreme care before adding cryptocurrency options; if you administer a 401(k) plan, meet with your advisory team to understand all of the risks before doing so.
7/21/22